How to avoid the GDPR and MiFID II clash

Firms are under unprecedented pressure to meet the demands of MiFID II by next January. But amidst the ongoing preparations and discussions, another EU regulation, the General Data Protection Regulation (GDPR), is lurking in the background.

GDPR is the most significant change in data privacy rules since the Data Protection Act 1998 and comes into effect on 25th May next year.

Building on the previous act, GDPR will strengthen and unify data protection for all individuals within the EU, ensuring that their data is used in an appropriate way to which they have consented.

It will see significantly higher fines than previously issued for non-compliance (equal to 4 per cent of global turnover) and businesses will now be obligated to notify the regulator, and the individuals affected, if there is a data breach.

Data, and the recording and tracking of it, is at the heart of both MiFID II and GDPR. Firms must take a holistic view of IT compliance to ensure that data protection and security are at the heart of everything they do, but on the face of it some of these rules can appear contradictory.

Many of the concerns that GDPR will clash with MiFID II centre on the "right to be forgotten" (or "right to erasure", to give it its correct title), which GDPR promises for data subjects (the term given to anyone whose data is collected).

This is not the case.

Data subjects do not have a right to be forgotten when it comes to financial services.

MiFID II (as well as suitability, anti-money laundering and pension rules) requires the retention of data for years after an account is closed.

GDPR doesn't contradict this but says that you should only store the data you need for as long as you need it.

It also allows the right to hold data in order to defend any legal claims, something which is vital as firms face the threat of mis-selling allegations.

However, crucially, GDPR says that individuals do have the right to stop firms from using their details for other purposes, such as targeting them with new products and services.

Although the regulations do not necessarily clash, directives such as MiFID II do mean you need to store more data, hold it for longer and share it with multiple parties.

Recognising these nuances is crucial for firms to understand how these regulations must be observed in tandem.

Firms need to look at how they share data with other data processors they may employ and any other third parties (e.g. IFAs and the regulator) as well as with the investors themselves.

Gone are the days of emailing spreadsheets of data around. Firms must prepare, and should be looking at systems that employ secure methods of communication to ensure that such important data is available only to those authorised to have it.

So don’t make the mistake of focusing solely on MiFID II.

It is essential that data protection is part of the very fabric of your organisation.

Any new processes and systems rushed in for MiFID II need to employ "privacy by design" and "privacy by default". Data protection cannot be viewed as a bolt-on afterthought in your organisation. The risk of falling foul of the regulator, or of ruining your reputation, is huge.